HHS/OIG, Audit - "Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2004," (A-18-05-02600)

Department of Health and Human Services
Office of Inspector General -- AUDIT

September 27, 2006

Complete Text of Report is available in PDF format (1.04 mb). Copies can also be obtained by contacting the Office of Public Affairs at 202-619-1343.

EXECUTIVE SUMMARY:

Our objectives were to (1) assess the scope and sufficiency of Medicare contractor information security program evaluations and data center technical assessments and (2) report the results of those evaluations and assessments. We found that the scope of the contractor information security program evaluations adequately encompassed the eight major requirements enumerated in the Federal Information Security Management Act (FISMA). Also, the scope of the data center technical assessments was adequate for testing information security controls. The work performed to evaluate contractor information security programs was sufficient to fully address the FISMA requirements referenced in Section 912 of the Medicare Prescription Drug, Improvement, and Modernization Act of 2003, and the information included in the evaluation reports was supported by documented evidence. The documentation supporting the tests of information security controls for a subset of systems was generally sufficient to support the results reported in the technical assessment reports. Regarding the results of evaluations and assessments, in 32 evaluation reports, auditors identified a total of 217 gaps between FISMA or Centers for Medicare & Medicaid Services (CMS) core security requirements and the contractors' implementation of those requirements. In addition, the 14 data center technical assessment reports prepared by CMS's security consultant identified 412 gaps across all 14 data centers. CMS generally agreed with the information we presented.